Abstract

We wish to abstract nodes in a reactive programming language, such 
as Lustre, into nodes with a simpler control structure, with a bound on 
the number of control states. In order to do so, we compute disjunctive 
invariants in predicate abstraction, with a bounded number of disjuncts, 
then we abstract the node, each disjunct representing an abstract state. 
The computation of the disjunctive invariant is performed by a form of 
quantifier elimination expressed using SMT-solving. 

The same method can also be used to obtain disjunctive loop invariants.

1 Introduction 

Our goal is to be able to compute sound abstractions of reactive nodes, with
tunable precision. A reactive node in a language such as Lustre, Scade, Sao or
even Simulink has input streams, output streams, and an (optional) internal
state: at each clock cycle, the value on each output is a function of the
values on the inputs and the state; and so is the next value of the state.

If the state consists in a finite vector of Booleans, or other finite values, 
then the node is a finite automaton, with transitions guarded according to the 
current values of the inputs, and for each state a relation between the current 
values of the inputs and the current values of the outputs. This is often referred 
to as the control structure of the reactive program. The problem with that 
representation, which exposes the full internal state, is that the number of states 
grows exponentially with the number of state variables, making it unwieldy for
analysis. The problem is even more severe if the control conditions are not
directly exposed as Boolean state variables, but as predicates over, say, integer
or real variables (see the example in Sec. 4).

The main contribution of this article is a method for constructing a more
abstract automaton, with a bounded number of states (at most $n$), whose behaviors
still over-approximate the behaviors of the node. In order to do so:

1. We compute an over-approximation of the set of reachable states of the
node, in an unspecified context, as a union of at most $n$ "abstract states",
each defined by a conjunction of constraints (these abstract states need
not be disjoint).

2. We compute the most precise transition relation between these abstract 
states. 

This automatic abstraction maps a reactive node into another, more abstract 
(and, in general, nondeterministic) reactive node. This enables modular and 
compositional analysis: if a node is composed of several nodes, then one can 
replace each of these nodes by its abstraction, and then analyze the compound 
node. 

As a secondary contribution, the analysis method at step 1 can also be
used to obtain disjunctive loop invariants for imperative programs (or, more
generally, invariants for arbitrary control flow graphs), given a precondition and
an optional postcondition. We describe this algorithm for obtaining invariants
in disjunctive normal form, but it in fact also works for other templates.

Our algorithms use satisfiability modulo theory (SMT) solving as an essential
subroutine.

2 Invariants by Predicate Abstraction 

Predicate abstraction abstracts program states using the truth value of a given
finite set of predicates $\{\pi_1, \dots, \pi_m\}$: each state $\sigma$ is abstracted by an $m$-tuple
of Booleans $(\pi_1(\sigma), \dots, \pi_m(\sigma))$. The most precise abstract transition relation
between such vectors of Booleans is $(B_1, \dots, B_m) \to_\pi (B'_1, \dots, B'_m)$ if and only
if there exist $\sigma \models \bigwedge_i (\pi_i = B_i)$ and $\sigma' \models \bigwedge_i (\pi_i = B'_i)$ with $\sigma \to \sigma'$, where $\to$ is the
transition relation of the program. Then, given an abstract initial state, the set
of reachable states of the abstract transition relation can be computed within
finite time (in general, exponential in $m$) by Kleene iterations (equivalently, by
computing the transitive closure of $\to_\pi$).

Such an approach is, however, unworkable in general because of the exponential
number of states generated, and thus all current predicate abstraction
schemes use some stronger form of abstraction; for instance, they may simply
compute a conjunction of the $\pi_i$ that holds inductively at a given program
point. Conjunctive invariants are however fairly restrictive; in this article, we
consider the problem of obtaining invariants as disjunctions of a fixed number
of conjunctions of the chosen predicates.

The set of reachable states of a reactive node, in an unspecified environment,
is the strongest invariant of an infinite loop:

while (true) { ... }


We shall therefore investigate the problem of automatically finding disjunctive
inductive loop invariants (or, more generally, invariants for predicate
abstraction following a fixed template), using predicate abstraction, given a
precondition and an optional postcondition. These invariants shall be minimal with
respect to the inclusion ordering: there shall be no stronger inductive invariant
definable by the same template.

2.1 Solution of a Universally Quantified Formula 

Let us assume a finite set $\Pi = \{\pi_1, \dots, \pi_m\}$ of predicates over the state space
of the variables of the program. Let $n \geq 1$ be an integer. We are looking for
invariants of the form $C_1 \vee \dots \vee C_n$ where the $C_i$ are conjunctions of predicates
from $\Pi$ (most of our techniques are not specific to this template form, see Sec. 2.5
for extensions).

Any such invariant can be obtained by instantiating the Booleans $b_{i,j}$ in the
following template:



Setting $b_{i,j}$ to true (respectively, false) in that template means that predicate $\pi_j$
appears (respectively, does not appear) in the $i$-th disjunct $C_i$. For instance, if
$\Pi = \{x > 0, x < 1, y > 0\}$ and $n = 2$, then $b_{1,1} = \mathrm{true}$, $b_{1,2} = \mathrm{true}$, $b_{1,3} = \mathrm{false}$,
$b_{2,1} = \mathrm{false}$, $b_{2,2} = \mathrm{false}$, $b_{2,3} = \mathrm{true}$ correspond to $(x > 0 \wedge x < 1) \vee y > 0$.

The problem of finding an invariant reduces to finding suitable values for
these Booleans. There is therefore a search space for invariant candidates of a
priori size $2^{mn}$. We impose that the invariant $I$ obtained be minimal within
that search space with respect to the inclusion ordering; that is, there is no $I'$
expressible using the template such that $I' \subsetneq I$.

Our algorithm can in fact apply to any control-flow graph. For the sake of 
simplicity, we shall describe it on a single loop. 

In Hoare logic, the conditions for proving that a postcondition $P$ holds after
a while loop whose condition is $C$, whose transition relation is $T$ and whose
precondition is $S$ using loop invariant $I$ are:

• $I$ must contain the precondition, otherwise said $\forall\sigma\; S \Rightarrow I$.

• $I$ must be inductive, otherwise said $\forall\sigma, \sigma'\; I \wedge C \wedge T \Rightarrow I'$, with $I'$ denoting
$I$ where all state variables have been primed.

• $I \wedge \neg C$ must imply the postcondition, otherwise said $\forall\sigma\; I \wedge \neg C \Rightarrow P$.

If we impose $I$ to be an invariant of the required form, that is, an instantiation
$T[B/b]$ of $T$ obtained by setting the $b_{i,j}$ variables to certain values $B_{i,j}$,
these conditions boil down to

(1)

that is, the values $B_{i,j}$ of the $b_{i,j}$ variables must satisfy certain formulas
universally quantified over the state $\sigma$ or over the couple of states $(\sigma, \sigma')$.

We now make an additional assumption: the states $\sigma$ or $\sigma'$ comprise a fixed,
finite number of variables¹ expressible in a theory $\mathcal{T}$ for which there exists
a satisfiability testing algorithm, in which the predicates $\pi_1, \dots, \pi_m$ can be
expressed, and which allows propositional variables. Thus, the problem boils
down to finding a solution to a conjunction of universally quantified formulas
of that theory such that the only free variables are the $b_{i,j}$ Booleans.

In the following sections, lowercase $\sigma$ and $\sigma'$ stand for states (thus stand
for a finite number of variables in the theory $\mathcal{T}$), uppercase $\Sigma$ and $\Sigma'$ stand for
values of these state variables. Similarly, lowercase $b$ stands for the matrix of
propositional variables $(b_{i,j})_{1 \leq i \leq m, 1 \leq j \leq n}$ and uppercase $B$ stands for the matrix
of Booleans $(B_{i,j})_{1 \leq i \leq m, 1 \leq j \leq n}$. $F[B/b]$ thus stands for the formula $F$ where the
propositional variables $b$ have been replaced by the corresponding Booleans in
$B$, and $F[\Sigma/\sigma]$ stands for the formula $F$ where the state variable $\sigma$ has been
replaced by the state value $\Sigma$.

2.2 Naive Algorithm for a Given Postcondition 

In this section, we shall explain how to compute an invariant suitable for proving 
the Hoare triple of a loop, given a precondition, a postcondition (which may be 
true), a loop condition and a transition relation. 

Let us first give an intuition of the algorithm. A universally quantified
formula $\forall\sigma\, F$ with free Boolean variables $b$ can be understood as specifying a
potentially infinite number of constraints $F[\Sigma/\sigma]$ over $b$, where $\Sigma$ ranges over all
possible values for $\sigma$ (in this section, we will lump together $\sigma$ and $\sigma'$ as a
single $\sigma$). The idea is to "discover" such constraints one at a time, when they
are violated.

Let us now examine the algorithm in more detail; see Sec. 3 for a complete
algorithm run. The $H_k$ sequence of propositional formulas over the $b$ variables
will express successive refinements of the constraints during the search for a
suitable assignment. Initially, we do not know anything about possible solutions,
so we set $H_1 = \mathrm{true}$.

We start by taking any initial assignment $B^{(1)}$ (since any will satisfy $H_1$) and
check whether $\neg F[B^{(1)}/b]$ is satisfiable, that is, whether one can find suitable
values for $\sigma$. If it is not, then $B^{(1)} \models \forall\sigma\, F$. If it is satisfiable, with example
value $\Sigma_1$, we add $F[\Sigma_1/\sigma]$ as a constraint, that is, we take $H_2 = H_1 \wedge F[\Sigma_1/\sigma]$;
note that this constraint excludes $B^{(1)}$ and possibly other values for $b$. Now find
an assignment $B^{(2)}$ satisfying $H_2$, and check whether $\neg F[B^{(2)}/b]$ is satisfiable. If it
is not, then $B^{(2)} \models \forall\sigma\, F$. If it is satisfiable, with example value $\Sigma_2$, we take
$H_3 = H_2 \wedge F[\Sigma_2/\sigma]$; note that $H_3$ excludes $B^{(1)}$ and $B^{(2)}$. The process continues
until a suitable assignment is found or the constraints exclude all assignments.
Note that at least one Boolean assignment is excluded at each iteration, and
that the number of Boolean assignments is finite (exponential in the number of
propositional variables in $b$).

¹ These variables are not necessarily scalar variables. It is for instance possible to consider
uninterpreted functions from the integers to the integers, which stand for a countably infinite
number of integers.
More formally: recall that we have reduced our problem of finding an invariant
to finding Boolean values $B_{i,j}$ such that $(B_{i,j})_{1 \leq i \leq m, 1 \leq j \leq n} \models \forall\sigma\, F$ for
a certain quantifier-free formula $F$ whose free variables are $(b_{i,j})_{1 \leq i \leq m, 1 \leq j \leq n}$.
Let us now assume we have an SMT-solver for theory $\mathcal{T}$, a function $\mathrm{SMT}(G)$
which given a formula $G$ answers $\mathrm{sat}(M)$ when $G$ is satisfiable, where $M$ is
a model, that is, a suitable instantiation of the free variables in $G$, or $\mathrm{unsat}$
otherwise. We shall also assume a SAT-solver $\mathrm{SAT}$ with similar notations, for
purely propositional formulas. We run the following algorithm, expressed in
pseudo-ML:

H := true
loop
  match SAT(H) with
  | unsat -> return "no solution"
  | sat((B_{i,j})_{1<=i<=m,1<=j<=n}) ->
      match SMT(¬F[B/b]) with
      | unsat  -> return "solution B"
      | sat(Σ) -> H := H ∧ F[Σ/σ]

This algorithm always terminates, since the main loop iterates over a finite
set of size $2^{|b|}$ where $|b| = mn$ is the size of the matrix $b$ of propositional variables:
the number of models of the propositional formula $H$ decreases by at least one
at each iteration, since model $B$ is excluded by the $F[\Sigma/\sigma]$ condition. The loop
invariant is $\forall\sigma\, F \Rightarrow H$. This invariant is maintained: whatever we choose
for $\Sigma$, if $\forall\sigma\, F \Rightarrow H$, then $\forall\sigma\, F \Rightarrow H \wedge F[\Sigma/\sigma]$. If the algorithm answers
"no solution" for $H$, because of the invariant, there is no solution for $\forall\sigma\, F$.
If the algorithm answers "solution $B$", the "unsat" answer for $\mathrm{SMT}(\neg F[B/b])$
guarantees that $B \models \forall\sigma\, F$.

Note the use of two solvers: one SAT-solver for the propositional variables $b$, and
one SMT-solver for the state variables $\sigma$ (or $\sigma, \sigma'$). The SAT-solver is used
incrementally: one only adds new constraints. The SMT-solver is always used with the
same set of predicates, enabling it to cache theory lemmas.

2.3 Performance Improvements 

The algorithm in the preceding subsection is sound, complete and terminating.
Yet, experiments have shown that it tends to generate useless iterations. One
reason is that the system may iterate across instances $B$ that yield the same
formula $T[B/b]$ up to a permutation of the $C_i$ disjuncts. Another is that the
system may generate empty disjuncts $C_i$, or more generally disjuncts that are
subsumed by the other disjuncts (and are thus useless). We shall explain how
to deal with those issues.

2.3.1 Removal of Permutations 

We impose that the disjunction $C_1 \vee \dots \vee C_n$ follows a unique canonical ordering.

For this, we impose that the vectors of $m$ Booleans $(B_{1,j})_{1 \leq j \leq m}, \dots, (B_{n,j})_{1 \leq j \leq m}$
are in strict increasing order with respect to the lexicographic ordering
induced by $\mathrm{false} < \mathrm{true}$. This corresponds to $n - 1$ constraints $(b_{i,j})_{1 \leq j \leq m} \prec_L
(b_{i+1,j})_{1 \leq j \leq m}$, each of which can be encoded over the propositional variables
$(b_{i,j})$ as a formula $L_{i,1}$ defined as follows:

• $L_{i,j_0}$ is a formula whose meaning is that $(b_{i,j})_{j_0 \leq j \leq m} \prec_L (b_{i+1,j})_{j_0 \leq j \leq m}$

• $L_{i,m+1}$ is false

• $L_{i,j_0}$ for $1 \leq j_0 \leq m$ is defined using $L_{i,j_0+1}$ as follows: $(\neg b_{i,j_0} \wedge b_{i+1,j_0}) \vee ((b_{i,j_0} \Leftrightarrow b_{i+1,j_0}) \wedge L_{i,j_0+1})$
All such constraints can be conjoined to the initial value of H. 
2.3.2 Removal of Subsumed Disjuncts 

We can replace the SAT-solver used to find solutions for $(b_{i,j})$ by an SMT-solver
for theory $\mathcal{T}$, in charge of finding solutions for $(b_{i,j})$ and for some auxiliary
variables $\sigma_1, \dots, \sigma_n$ (we actually shall not care about the actual values of $\sigma_1, \dots, \sigma_n$).
The following constraint expresses that the disjunct $C_{i_0}$ is not subsumed by the
disjuncts $(C_i)_{1 \leq i \leq n, i \neq i_0}$:

$$\exists \sigma_{i_0}\; C_{i_0}[\sigma_{i_0}/\sigma] \wedge \bigwedge_{1 \leq i \leq n,\, i \neq i_0} \neg C_i[\sigma_{i_0}/\sigma] \qquad (2)$$

It therefore suffices to conjoin to the initial value of $H$ the following
constraints, for $1 \leq i_0 \leq n$: $C_{i_0}[\sigma_{i_0}/\sigma] \wedge \bigwedge_{1 \leq i \leq n,\, i \neq i_0} \neg C_i[\sigma_{i_0}/\sigma]$.

A variant consists in simply imposing that each of the $C_i$ is satisfiable,
thus eliminating useless false disjuncts. For this, one imposes for $1 \leq i_0 \leq n$ the
constraint $C_{i_0}[\sigma_{i_0}/\sigma]$. Equivalently, one can pre-compute the "blocking clauses"
over the $b_{i,j}$ propositional variables that constrain these variables so that $C_{i_0}$ is
satisfiable, and add them as purely propositional constraints. This is the method
that we used for the example in Sec. 3 (we wanted to keep to propositional
constraints for the sake of simplicity of exposition).

2.4 Iterative Refinement of Invariants 

We have so far explained how to compute any invariant, with or without imposing
a postcondition. If we do not impose a postcondition, the formula true, for
instance, can denote a wholly uninteresting invariant; clearly we would like a
smaller one. In this section, we shall explain how to obtain minimal invariants
within the search space.

2.4.1 For a Fixed Disjunction Size 

Let us now assume we have the postcondition $P$ (if we do not have it, then
set $P$ to true). A natural question is whether one can get a minimal inductive
invariant of the prescribed form for the inclusion ordering; that is, an invariant
$T[B_0/b]$ such that there exists no $B$ such that $T[B/b] \subsetneq T[B_0/b]$, where
$T[B/b] \subseteq T[B_0/b]$ denotes $\forall\sigma\; T[B/b] \Rightarrow T[B_0/b]$. We shall now describe an iterative algorithm that
first obtains any inductive invariant of the prescribed form, and then performs a
downwards iteration sequence for the inclusion ordering, until a minimal element
is found.

Let us first note that it is in general hopeless to find a global minimum $B_0$,
that is, one such that $\forall B\; T[B_0/b] \subseteq T[B/b]$, for there may exist incomparable
minimal elements. For instance, consider the program:

float i = 0;
while (random) {
  i = i+1;
  if (i > 2) i = 0;
}

The least inductive invariant of this loop, for variable $i$, is the set of floating-point
numbers $\{0, 1, 2\}$. Now assume our set of predicates is $\{i \leq 0, i \geq 0, i \geq 1, i \leq 1, i \leq 2, i \geq 2\}$,
and take $n = 2$; we thus look for disjunctions of two
intervals. Two minimal incomparable invariants are $(i \geq 0 \wedge i \leq 1) \vee (i \geq 2 \wedge i \leq 2)$,
that is, $[0, 1] \cup \{2\}$, and $(i \geq 1 \wedge i \leq 2) \vee (i \leq 0 \wedge i \geq 0)$, that is, $[1, 2] \cup \{0\}$.

Let us now assume we have already obtained an invariant $T[B'/b]$ and we
wish to obtain a better invariant $T[B/b] \subsetneq T[B'/b]$. This last constraint can be
written as the conjunction of:

1. $T[B/b] \subseteq T[B'/b]$, otherwise said $\forall\sigma\; T[B/b] \Rightarrow T[B'/b]$; such a universally
quantified constraint can be handled as explained in Sec. 2.2.

2. $\exists\sigma\; T[B'/b] \wedge \neg T[B/b]$. Again, as explained in Sec. 2.3.2, one can treat
such an existentially quantified constraint by using an SMT-solver instead
of a SAT-solver and adding to $H$ an extra variable $\sigma$ and the constraint
$T[B'/b] \wedge \neg T[B/b]$. When an invariant $T[B/b]$ is found, the value $\Sigma$ of $\sigma$
is a witness that this invariant is strictly included in $T[B'/b]$.

It is possible to compute a downward iteration sequence until a minimal element
is reached: compute any initial invariant $B^{(1)}$, then $B^{(2)} \subsetneq B^{(1)}$, etc., until
the system fails to provide a new invariant satisfying the constraints; one then
takes the last element of the sequence. The termination condition is necessarily
reached, for the $(B^{(k)}_{i,j})_{1 \leq i \leq m, 1 \leq j \leq n}$ Boolean matrices can never be twice the
same within the sequence (because of the strict descending property). Furthermore,
one can stop at any point $B^{(k)}$ within the sequence and get a (possibly
non minimal) inductive invariant.

One can replace point 2 above by a weaker strategy, but with the advantage
of operating only on propositional formulas. Note that $B^{(k+1)}$ has at least
one component higher than $B^{(k)}$ for the standard ordering $\mathrm{false} < \mathrm{true}$ on the
Booleans, for if all components are lower or equal, then $T[B^{(k+1)}/b] \supseteq T[B^{(k)}/b]$, which is
the opposite direction of what we wish. The strategy is to enforce this condition
using $\bigvee_{i,j} (b_{i,j} \wedge \neg B^{(k)}_{i,j})$. This is what we used in Sec. 3.
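As an added example (not the paper's code, nor that of its Candle tool), the following Python script runs the counterexample-driven loop of Sec. 2.2 and the propositional downward iteration of Sec. 2.4.1 on the loop above, with the six predicates and $n = 2$. To run offline it assumes that the state $i$ ranges over a small integer domain, so that the SMT call becomes exhaustive search over that domain and the SAT call becomes picking a model from an explicit set of models of $H$; each disjunct $C_i$ is encoded as a bitmask of the predicates it contains, and the names `holds`, `counterexample`, `find_invariant` and `minimize` are mine.

```python
from itertools import combinations

# The loop of Sec. 2.4.1:  float i = 0; while (random) { i = i+1; if (i > 2) i = 0; }
# i is modelled as a bounded integer (an assumption of this example).  The Hoare
# conditions are split into S (precondition), C (loop condition), step (the
# deterministic transition) and P (postcondition).
DOMAIN = range(-3, 6)                      # constructed finite stand-in for the theory

def S(i):  return i == 0                   # precondition
def C(i):  return True                     # loop condition: "random"
def P(i):  return True                     # no postcondition
def step(i):                               # loop body
    i = i + 1
    return 0 if i > 2 else i

# Predicates pi_1..pi_m and the template size n (disjunction of n conjunctions).
PREDS = [("i<=0", lambda i: i <= 0), ("i>=0", lambda i: i >= 0),
         ("i>=1", lambda i: i >= 1), ("i<=1", lambda i: i <= 1),
         ("i<=2", lambda i: i <= 2), ("i>=2", lambda i: i >= 2)]
M, N = len(PREDS), 2

# TRUTH[s] = bitmask of the predicates true in state s (bit j <-> pi_{j+1}).
TRUTH = {s: sum(1 << j for j, (_, p) in enumerate(PREDS) if p(s)) for s in DOMAIN}

def holds(B, s):
    """T[B/b] at state s.  B is a tuple of N bitmasks; mask i lists the predicates
    appearing in disjunct C_i, and C_i holds iff all of them hold at s."""
    return any((mask & TRUTH[s]) == mask for mask in B)

def initial_models():
    """Models of H_1: every disjunct satisfiable on the domain (blocking clauses,
    Sec. 2.3.2) and disjuncts in strictly increasing order (Sec. 2.3.1)."""
    satisfiable = [m for m in range(1 << M) if any((m & TRUTH[s]) == m for s in DOMAIN)]
    return set(combinations(satisfiable, N))   # pairs come out strictly increasing

def counterexample(B, inside=None):
    """The SMT(not F[B/b]) call: scan the domain for a violated condition and return
    it as the constraint F[Sigma/sigma], a predicate on candidate matrices, or None
    when B is a solution.  `inside` adds the inclusion constraint T[b] => T[inside/b]
    of point 1 in Sec. 2.4.1."""
    for s in DOMAIN:
        if S(s) and not holds(B, s):                            # S => I fails at s
            return lambda X, s=s: holds(X, s)
        if holds(B, s) and C(s):
            t = step(s)                                         # I and C and T => I'
            if t in TRUTH and not holds(B, t):
                return lambda X, s=s, t=t: not holds(X, s) or holds(X, t)
        if holds(B, s) and not C(s) and not P(s):               # I and not C => P
            return lambda X, s=s: not holds(X, s)
        if inside is not None and holds(B, s) and not holds(inside, s):
            return lambda X, s=s: not holds(X, s)               # s outside T[inside/b]
    return None

def find_invariant(models, inside=None):
    """The loop of Sec. 2.2, the SAT-solver replaced by the explicit model set of H:
    pick any model B, ask for a counterexample, conjoin it to H (which removes B and
    possibly other models) and repeat; an empty model set means no solution."""
    while models:
        B = min(models)
        constraint = counterexample(B, inside)
        if constraint is None:
            return B
        models.difference_update([X for X in models if not constraint(X)])
    return None

def minimize(B, models):
    """Downward iteration of Sec. 2.4.1 with the propositional strategy: some b_{i,j}
    must be true where B_{i,j} is false, and T[b] must be included in T[B/b]."""
    while True:
        models = {X for X in models if any(x & ~y for x, y in zip(X, B))}
        smaller = find_invariant(models, inside=B)
        if smaller is None:
            return B
        B = smaller

def meaning(B):
    """Concrete set of domain states satisfying T[B/b]."""
    return {s for s in DOMAIN if holds(B, s)}

def show(B):
    """Render T[B/b]; an empty conjunction reads as true."""
    parts = []
    for mask in B:
        names = [PREDS[j][0] for j in range(M) if mask >> j & 1]
        parts.append("(" + (" and ".join(names) or "true") + ")")
    return " or ".join(parts)

def run():
    models = initial_models()
    first = find_invariant(models)        # any inductive invariant of the template
    best = minimize(first, models)        # then a minimal one below it
    return first, best

if __name__ == "__main__":
    first, best = run()
    print("first invariant:  ", show(first), sorted(meaning(first)))
    print("minimal invariant:", show(best), sorted(meaning(best)))
```

The first invariant found is the trivially true one (an empty conjunction as $C_1$), precisely the uninteresting invariant Sec. 2.4 warns about; the downward iteration then stops only when no strictly smaller template instance is inductive, so it ends on an invariant whose meaning on the domain is $\{0, 1, 2\}$, one of the two incomparable minimal elements discussed above.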

2.4.2 For Varying Disjunction Sizes 

The algorithms described above work for a given disjunction size $n$. The method
for preventing subsumed disjuncts of Sec. 2.3.2 imposes that all $n$ disjuncts
are truly needed: it is thus possible that no solution should be found for $n = n_0$
while solutions exist for $n = n_0 - 1$.

We therefore suggest that, once a minimal invariant $I_{n_0}$ is obtained for $n = n_0$
fixed, one looks for an invariant strictly included in $I_{n_0}$ for $n = n_0 + 1$. One
can choose to stop such iterations when no solutions are found for a given $n$, or
when a limit on $n$ or a timeout is reached.
2.5 Extensions

Prohibition of Overlapping Modes Our algorithms produce disjunctions
that cover all reachable states, but that do not define partitions: distinct
abstract states may be overlapping. This may be somewhat surprising and
counterintuitive.

It is possible to impose that disjuncts should be pairwise disjoint. For any $i$
and $j$, one can impose that $C_i$ and $C_j$ are disjoint by the universally quantified
formula $\forall\sigma\; \neg C_i \vee \neg C_j$. We have explained in the preceding sections how to deal
with such universally quantified formulas.

Other Template Forms We have described our algorithm for templates of
the form $C_1 \vee \dots \vee C_n$ where the $C_i$ are conjunctions constructed from the chosen
predicates, but the algorithm is not specific to this template shape. Instead of
disjunctive normal form, one could choose conjunctive normal form, for instance,
or actually any form [23], though reductions of the search space such as those
from Sec. 2.3.1 or 2.3.2 may be more difficult to define.

Predicate Choice Our method is based on predicate abstraction; so far we
have not discussed methods for obtaining the predicates, beyond the obvious
syntactic detection. In many systems based on predicate abstraction, one uses
counterexample-based abstraction refinement (CEGAR): from an abstract trace
violating the specification, but not corresponding to a concrete trace violating
the specification, one derives additional predicates for refining the system.
Because we did not implement such refinement, we shall only give a rough
description of our CEGAR method.

If there is no inductive invariant built from the requested template that
can prove the desired postcondition, the algorithm from Sec. 2.2 will end up
with an unsatisfiable constraint system. This system is unsatisfiable because of
the postcondition constraints (otherwise, in the worst case, one would obtain
a solution yielding the true formula); relevant postcondition constraints can be
obtained from an unsatisfiable core of the constraint system. One can then
try removing such constraints one by one until the constraint system becomes
satisfiable again. Any solution of this relaxed constraint system defines an
inductive invariant, but one that does not satisfy the postcondition. As with
the usual CEGAR approach, one could try generating test traces leading from
the initial states to the complement of the postcondition and staying within the
invariant; if the postcondition holds, such searches are unsuccessful and yield
interpolants from which predicates may be mined.

3 Step-by-step Example of Invariant Inference 

For the sake of simplicity of exposition, in this section we have restricted
ourselves to pure propositional constraints on the $b_{i,j}$, and satisfiability modulo the
theory of linear integer arithmetic for the combination of the $b_{i,j}$ and the state
variables. We consider the following simple program.

int b, i = 0, a; /* precondition a > 0 */
while (i < a) {
  b = random();
  if (b)
    i = i + 1;
}

The predicates are $\{\pi_1, \dots, \pi_8\} = \{i = 0, i < 0, i > 0, i = a, i < a, i > a, b, \neg b\}$.
The state variable $\sigma$ stands for $(i, a, b)$. For the sake of simplicity,
we model $i$ and $a$ as integers in $\mathbb{Z}$, and $b$ as a Boolean. We assume the loop
precondition $S = (i = 0 \wedge a \geq 1)$. The loop condition is $C = (i < a)$, and the
transition relation is $T = (b' \wedge i' = i + 1) \vee (\neg b' \wedge i' = i)$. We choose $n = 2$.

We shall now run the algorithm described in Sec. 2.2 with the iterative
refinement of Sec. 2.4.1. For the sake of simplicity, we shall use none of the
improvements described in the preceding sections that need the $H_i$ to contain
non-propositional variables: no removal of subsumed disjuncts as described in
Sec. 2.3.2 and no strict inclusion enforcement as described in Sec. 2.4.1.

We initialize $H$ as follows: $H_1$ contains Boolean constraints on $(b_{i,j})_{1 \leq i \leq 2, 1 \leq j \leq 8}$

• that prevent $C_1$ and $C_2$ from being unsatisfiable, using blocking clauses
as explained in Sec. 2.3.2: one cannot have both $i = 0$ and $i > 0$, and so
on;

• that force $(b_{1,j})_{1 \leq j \leq 8} \prec_L (b_{2,j})_{1 \leq j \leq 8}$ for the lexicographic ordering $\prec_L$
on Boolean vectors (this avoids getting the same disjunction twice with
the disjuncts swapped).

Let us now see the constraint solving and minimization steps. 

1. We perform SAT-solving on $H_1$ and obtain a satisfying assignment $B^{(1)}_{1,1} =
\mathrm{true}$, $B^{(1)}_{1,2} = \mathrm{false}$, $B^{(1)}_{1,3} = \mathrm{false}$, $B^{(1)}_{1,4} = \mathrm{true}$, $B^{(1)}_{1,5} = \mathrm{false}$, $B^{(1)}_{1,6} = \mathrm{false}$, $B^{(1)}_{1,7} =
\mathrm{true}$, $B^{(1)}_{1,8} = \mathrm{false}$, $B^{(1)}_{2,1} = \mathrm{true}$, $B^{(1)}_{2,2} = \mathrm{false}$, $B^{(1)}_{2,3} = \mathrm{false}$, $B^{(1)}_{2,4} = \mathrm{true}$, $B^{(1)}_{2,5} =
\mathrm{false}$, $B^{(1)}_{2,6} = \mathrm{false}$, $B^{(1)}_{2,7} = \mathrm{false}$, $B^{(1)}_{2,8} = \mathrm{true}$. This corresponds to the
invariant candidate $T[B^{(1)}/b]$; that is, $(i = 0 \wedge i = a \wedge b) \vee (i = 0 \wedge i = a \wedge \neg b)$.
Now is this invariant candidate truly an inductive invariant? It is not,
because it does not contain the whole of the set of initial states. SMT-solving
on $S \wedge \neg T[B^{(1)}/b]$ gives a solution $\Sigma_1 = (i = 0, a = 1, b = \mathrm{false})$.

We therefore take $H_2 = H_1 \wedge F[\Sigma_1/\sigma]$.

2. A satisfying assignment $B^{(2)}$ of $H_2$ yields the invariant candidate $(i =
0 \wedge i = a \wedge b) \vee (i = 0 \wedge i < a \wedge b)$. Again, SMT-solving shows this is not
an invariant because it does not contain the initial state $\Sigma_2 = (i = 0, a =
-1, b = \mathrm{false})$. We therefore take $H_3 = H_2 \wedge F[\Sigma_2/\sigma]$.

3. A satisfying assignment $B^{(3)}$ of $H_3$ yields the invariant candidate $(i =
0 \wedge i = a \wedge b) \vee (i = 0 \wedge i < a)$. SMT-solving shows this is not inductive,
since it is not stable by the transition $\Sigma_3 = (i = 0, a = 1, b = \mathrm{false}, i' =
1, b' = \mathrm{true})$. We therefore take $H_4 = H_3 \wedge F[\Sigma_3/\sigma]$.

4. A satisfying assignment $B^{(4)}$ of $H_4$ yields the invariant candidate $(i =
0 \wedge i < a \wedge \neg b) \vee b$. SMT-solving shows this is not inductive, since it is not
stable by the transition $\Sigma_4 = (i = 1, a = 3, b = \mathrm{true}, i' = 1, b' = \mathrm{false})$. We
therefore take $H_5 = H_4 \wedge F[\Sigma_4/\sigma]$.

5. A satisfying assignment $B^{(5)}$ of $H_5$ yields the invariant candidate $(i =
0 \wedge i < a) \vee (i > 0 \wedge i = a \wedge b)$. SMT-solving shows this is not inductive,
since it is not stable by the transition $\Sigma_5 = (i = 0, a = 2, b = \mathrm{false}, i' =
1, b' = \mathrm{false})$. We therefore take $H_6 = H_5 \wedge F[\Sigma_5/\sigma]$.

6. A satisfying assignment $B^{(6)}$ of $H_6$ yields the invariant candidate $I_1 =
(i = 0 \wedge i < a) \vee i > 0$. SMT-solving shows this is an inductive invariant,
which we retain. We however would like a minimal inductive invariant
within our search space. As described at the end of Sec. 2.4.1, we take $H_7$ as
the conjunction of $H_6$ and a propositional formula forcing at least one of
the $b_{i,j}$ to be true while $B^{(6)}_{i,j}$ is false. Furthermore, as described in point 1
of Sec. 2.4.1, we now consider $F_2 = F \wedge (T \Rightarrow I_1)$, which ensures that we
shall from now on only consider invariants included in $I_1$.

7. A satisfying assignment $B^{(7)}$ of $H_7$ yields the invariant candidate $(i >
0 \wedge i = a \wedge b) \vee i < a$. SMT-solving shows this is not included in $I_1$, using
$\Sigma_7 = (i = -47, a = 181, b = \mathrm{true})$. We therefore take $H_8 = H_7 \wedge F_2[\Sigma_7/\sigma]$.

8. $H_8$ has no solution. $I_1$ is thus minimal and the algorithm terminates.

A postcondition for this loop is thus $I_1 \wedge \neg(i < a)$, that is, $i > 0 \wedge i \geq a$. Note
that the method did not have to know this postcondition in advance in order
to prove it.



4 Construction of the Abstract Automaton 

We can now assume that the set of reachable states is defined by a formula
$I = I_1 \vee \dots \vee I_n$, with each formula $I_i$ meant to define a state $q_i$ of the abstract
automaton.

To each couple of states $(q_i, q_j)$ we wish to attach an input-output relation
expressed as a formula $\tau_{i,j}$ with variables $I$, ranging over the set of possible
current values of the inputs, and $O$, over the set of possible current values of the
outputs.

Recall that $T$ is a formula expressing the transition relation of the reactive
node, over variables $I$ (inputs), $\sigma$ (preceding state), $\sigma'$ (next state) and $O$
(outputs). Then the most precise transition relation is:

$$\tau_{i,j} = \exists \sigma, \sigma'\; I_i \wedge I_j[\sigma'/\sigma] \wedge T \qquad (3)$$

Any over-approximation of this relation is a sound transition relation for the
abstract automaton. If we have a quantifier elimination procedure for the theory
in which $T$ and the $I_i$ are expressed, then we can compute the most precise $\tau_{i,j}$
as a quantifier-free formula; but we can also, if needed, use an approximate
quantifier elimination that yields an over-approximation.

Let us consider, as an example, the following Lustre node. It has a single
integer input dir and a single integer output out. If dir is nonzero, then it is
copied to out; else out decays to zero by one unit per clock cycle:

node clicker(dir : int) returns (out : int);
let
  out = if dir >= 1 then dir
        else if dir <= -1 then dir
        else 0 -> if pre out <= -1 then (pre out) + 1
                  else if pre out >= 1 then (pre out) - 1
                  else 0;
tel.

In mathematical notation, let us denote dir by $d$, pre out by $o$ and out by $o'$.
The state consists in a single variable $o$, thus $\sigma$ is the same as $o$. The transition
relation then becomes

$$T \equiv (d \neq 0 \wedge o' = d) \vee (d = 0 \wedge o \geq 1 \wedge o' = o - 1) \vee (d = 0 \wedge o \leq -1 \wedge o' = o + 1) \vee (d = 0 \wedge o' = o = 0)$$

Suitable predicates are $\{o \leq -1, o = 0, o \geq 1\}$, thus defining the set of reachable
states as a partition $I_{-1} \vee I_0 \vee I_1$ where $I_{-1} = (o \leq -1)$, $I_0 = (o = 0)$, $I_1 = (o \geq 1)$.

Let us compute $\tau_{0,1} = \exists o, o'\; I_0 \wedge I_1[o'/o] \wedge T$, that is, $\exists o, o'\; o = 0 \wedge o' \geq 1 \wedge T$:
we obtain $d > 0$. More generally, by computing $\tau_{i,j}$ for all $i, j \in \{-1, 0, 1\}$,
we obtain the automaton below; the initializers (left hand side of the Lustre
operator $\to$) define the initial state $q_0$.



[Figure: the abstract automaton with states $q_{-1}$, $q_0$, $q_1$; the transition guards legible on the page are $d < 0$ and $d > 0$.]

Note that the resulting automaton is nondeterministic: in state $q_1$ (respectively,
$q_{-1}$), representing $o > 0$ (resp. $o < 0$), if $d = 0$, then one can either
remain in the same state or return to the initial state $q_0$.
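As an added example (not from the paper and not the Candle tool), the following Python script computes the guards $\tau_{i,j}$ of formula (3) for the clicker node above, with the partition $I_{-1}, I_0, I_1$. The quantifier elimination is replaced, as an assumption of this example, by enumeration of $o$ and $d$ over a bounded integer domain, and the resulting sets of inputs are rendered as disjunctions of the sign conditions $d < 0$, $d = 0$, $d > 0$; the helper names are mine.

```python
from itertools import product

def clicker_step(d, o):
    """Transition relation T of the clicker node as a function of the input d = dir
    and the previous state o = pre out, returning o' = out."""
    if d != 0:            # a nonzero input is copied to the output
        return d
    if o <= -1:           # otherwise the output decays toward zero by one unit
        return o + 1
    if o >= 1:
        return o - 1
    return 0

# Abstract states I_-1, I_0, I_1, a partition of the state space as in the paper.
ABSTRACT = {-1: lambda o: o <= -1, 0: lambda o: o == 0, 1: lambda o: o >= 1}
DOMAIN = range(-4, 5)     # constructed bounded domain for o and d (assumption)

def guards():
    """tau[(i, j)] = {d : exists o in I_i and o' in I_j with (d, o, o') in T}, i.e.
    formula (3) with the existential quantifiers eliminated by enumeration."""
    tau = {(i, j): set() for i in ABSTRACT for j in ABSTRACT}
    for d, o in product(DOMAIN, DOMAIN):
        o_next = clicker_step(d, o)
        for i, in_i in ABSTRACT.items():
            if in_i(o):
                for j, in_j in ABSTRACT.items():
                    if in_j(o_next):
                        tau[(i, j)].add(d)
    return tau

SIGN_CLASSES = (("d<0", {d for d in DOMAIN if d < 0}),
                ("d=0", {0}),
                ("d>0", {d for d in DOMAIN if d > 0}))

def guard_formula(ds):
    """Render a guard set as a disjunction of sign conditions on d.  For this node
    every guard is a union of whole sign classes; the function checks that before
    answering and otherwise lists the set explicitly."""
    present = [name for name, cls in SIGN_CLASSES if cls <= ds]
    covered = set().union(*(cls for name, cls in SIGN_CLASSES if name in present))
    if covered != ds:
        return "{" + ", ".join(map(str, sorted(ds))) + "}"
    return " or ".join(present) if present else "false"

def abstract_automaton():
    """Guarded transitions (q_i, guard, q_j) of the abstract automaton; q_0 is initial."""
    return {(i, j): guard_formula(ds) for (i, j), ds in guards().items() if ds}

def nondeterministic_inputs(i):
    """Inputs d on which state q_i has more than one successor state."""
    tau = guards()
    return {d for d in DOMAIN if sum(d in tau[(i, j)] for j in ABSTRACT) > 1}

if __name__ == "__main__":
    for (i, j), g in sorted(abstract_automaton().items()):
        print(f"q_{i} --[{g}]--> q_{j}")
    print("nondeterministic inputs in q_1:", nondeterministic_inputs(1))
```

The guard from $q_0$ to $q_1$ comes out as $d > 0$, as computed by hand above, and state $q_1$ is nondeterministic exactly on $d = 0$: with $o = 1$ the node steps to $o' = 0$ (state $q_0$), with $o \geq 2$ it stays in $q_1$, and the projection onto $d$ cannot tell the two apart.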



5 Related Work 

There have been many approaches proposed for finding invariants and proving
properties on transition systems; [21] surveys earlier ones.

The problem of finding the control structure of reactive nodes written in e.g.
Lustre has been studied previously, most notably by B. Jeannet [12, 13, 14], but
with respect to a property to prove: the control structure is gradually refined
until the property becomes provable. This supposes that we know the desired
property in advance, which is not always the case in a modular setting: the
property may pertain to another module, and may not be easy to propagate
back to the current module. The NBac tool performs such an analysis using
convex polyhedra as an abstract domain. More recent methods for refining
the control structure of reactive nodes have also been proposed. We have already proposed
some modular abstractions for reactive nodes, but these targeted specific filters
with no control structure [15] or needed some precomputation of the control
structure [17].

The problem of finding disjunctive invariants has been much studied especially
in the context of convex numerical domains, such as polyhedra: if the
property to prove is not convex, or relies on a non-convex weakest precondition,
then any analysis inferring convex invariants will fail. A number of methods
have been proposed to infer invariants consisting in finite disjunctions of elements
of an abstract domain: some distinguish states according to the history
of the computation, as in trace partitioning [19]; some recombine elements
according to some affinity heuristics, or decompose the transition relation
according to some "convexity witness". Other methods select predicates
with which to split the control state. Some recent methods leverage the
power of modern SMT-solvers to impose convex invariants only at a limited
subset of program points, and distinguish all execution paths between them,
therefore acting as applying a complete trace partitioning between the points in
the distinguished subset [17]; the method in the present article also considers
a limited subset of program points (e.g. loop heads), but can infer disjunctive
invariants at these points too.

Both polyhedral abstraction and predicate abstraction search for an inductive
invariant $I$; then, in order to prove that a certain property $P$ always holds,
one shows that $I$ is included in $P$. In all static analyzers by abstract interpretation
known to the authors, some form of forward analysis is used: the set
of initial states influences the invariant $I$ obtained by the system. In contrast,
with $k$-induction, as in the Kind tool [11], the initial states play a very limited
role (essentially, they invalidate $P$ if there exists a trace of $k$ states starting in
an initial state such that one of them does not satisfy $P$). A known weakness of
pure $k$-induction is that it may fail to prove a property because it bothers about
bad, but unreachable, states. If one has obtained an invariant $I$ by other methods,
one can use it to constrain the system and get rid of these bad, unreachable
states. Thus, abstraction-based methods and $k$-induction based methods nicely
combine.

The algorithms presented in this article can be seen as a form of minimization
constrained by a universally quantified formula $\forall\sigma\, F$, achieved by maintaining a
formula $H$ such that $\forall\sigma\, F \Rightarrow H$, $H$ being a conjunction of an increasingly large
number of constraints generated from $F$ "on demand": a constraint is added
only if it is violated by the current candidate solution. This resembles quantifier
elimination algorithms we have proposed for linear real arithmetic [16]; one
difference is that the termination argument is simpler: with a finite number $n$
of Booleans as free variables, a new added constraint suppresses at least one
of the $2^n$ models, thus there can be at most $2^n$ iterations; in comparison the
termination arguments for arithmetic involve counting projections of polyhedra.

Reductions from invariant inference to quantifier elimination, or to minimization
constrained by a universally quantified formula, have already been
proposed for numerical constraints, where the unknowns are numerical quantities,
in contrast to the present work where they are Booleans [17].

Reductions from loop invariant inference in predicate abstraction to Boolean
constraint solving were introduced in [10], but that work assumed a postcondition
to prove, as opposed to minimizing the result. The problem we solve is
the same as the one from the later work [23, Sec. 5], but instead of concretely
enumerating the (potentially exponential) set of paths inside the program (corresponding
to all disjuncts in a disjunctive normal form of the transition relation),
each path corresponding to one constraint, we lazily enumerate witnesses for
such paths. Unfortunately, we do not have an implementation of the algorithm
from [23] at our disposal for performance comparisons.

More generally, a number of approaches for invariant inference based on
constraint solving have been proposed in the last years, especially for reducing
numerical invariant inference to numerical constraint solving [3] or mathematical
programming. One difference between these constraint approaches
and ours, apart from the fact that our variables are Boolean and theirs are real, is that we
use a lazy constraint generation scheme: we generate constraints only when a
candidate solution violates them, a method long known in mathematical programming
when applying cuts. We applied a similar technique for quantifier
elimination for linear real arithmetic, using lazy conversions to conjunctive normal
form [16]. A recent max-policy iteration considers each path through the
loop as a constraint, and lazily selects a combination of paths, using SMT-solving
to point to the next relevant path [5].



6 Conclusion 

We have given algorithms for finding loop invariants, or, equivalently, invariants
for reactive nodes, given as templates with Boolean parameters. Using disjunctive
invariants for reactive nodes, one obtains an abstraction of the reactive node
as a finite automaton with transitions labeled with guards over node inputs.

If a system consists of a number of nodes, then some of these nodes may be 
replaced by their abstract automaton, resulting in a more abstract system whose 
behaviors include all behaviors of the original system. This new system can in 
turn be analyzed by the same method. Thus, our method supports modular 
and compositional analysis. 

We provide the Candle tool, built using the Yices SMT-solver and the
Mjollnir quantifier elimination procedure, which computes abstractions of
Lustre nodes.